[LINK] certificates

Craig Sanders cas at taz.net.au
Mon Jan 15 08:56:11 AEDT 2007


On Mon, Jan 15, 2007 at 04:40:46AM +1100, Howard Lowndes wrote:
> Craig Sanders wrote:

> >>>or
> >>>- doesn't match the site's details (i.e. domain name)
> >>A common problem for virtual web sites.
> >
> >only when the site is run by idiots.
> 
> Don't be insulting.  

it may be insulting but it's also a fact. anyone running ssl sites ought
to at least know how they work and how to set them up.

> Go to my site at https:lannet.com.au/mail and you 
> will see what I mean.  

i presume you meant "https://WWW.lannet.com.au/mail" because the
certificate you have is for lannet.com.au and works fine for that
domain. it whinges, however, if you go to https://www.lannet.com.au/ -
because www.lannet.com.au is a different domain than lannet.com.au, just
as foo.com.au is different from bar.com.au

a browser can not assume that a sub-domain (or hostname within a domain
- e.g. "www.lannet.com.au") is equivalent to the domain itself (e.g.
"lannet.com.au") - otherwise a cert for ".com.au" or even ".com" could
undermine the entire system.

> Do you have a solution for that, 

yes. a wildcard certificate, for "*.lannet.com.au". 

you can buy them from several commercial CAs, or you can generate them
yourself with openssl.

try a google search for "wildcard ssl certificate".

> because even Apache don't?  From their FAQ:
>
> "Why is it not possible to use Name-Based Virtual Hosting to identify
> different SSL virtual hosts?

that's a limitation of NAME-BASED virtual hosts only, not of all virtual
hosts. if you want to do SSL encrypted virtual hosting then you MUST
assign a unique IP address (or unique port number) per secure vhost.
non-ssl sites can share an IP and use name-based vhosting, ssl sites
require their own IP or port. the Apache FAQ you quoted explains why.

that has NOTHING to do with the certificate, or whether it matches the
site's details. it is entirely possible - and easy - to have multiple
virtual hosts on a server, each with its own ssl certificate. all it
takes is a little bit of a clue.

if you don't understand that, then perhaps you shouldn't be running ssl
sites.



craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)



More information about the Link mailing list